ERMAN TAŞKIN
www.ermantaskin.com/bcm
ERMAN TAŞKIN
İş Sürekliliği Yönetim Süreci ve Karar Verme Metodolojisi
BC Decision Making Methodology
AGENDA
1.BCM Organization Understanding2.BCM Impact Analysis Process3.BCM Strategy4.BCM Implementation Methodology
Documentation
www.ermantaskin.com/bcm
ITIL(ITSCM) & BS25999
BCM Program Management
Based on BS2599
BCM Documentation
Understanding the organization
BCM Decision Making
BCM Decision Making
Assess cirtical services impactsEstablish maximum tolerable period of disruptionIdenfity any inter-dependent activitiesService Catalog investigation CMDB usage for relationships definition
Business Impact
Analysis
Identification of critical activities
Determining Continuity
Requirements
Risk assessment
Determining choices
BCM Decision Making
Assess operational processesDetermine financial values of services and
activitiesConsider SLA targetsUse Availability PlanUse Availability Reports
Business Impact Analysis
Identification of critical activities
Determining Continuity
Requirements
Risk assessment
Determining choices
BCM Decision Making
Staff resourcesWork siteSupporting technologyProvison of informationExternal services and suppliers
Business Impact Analysis
Identification of critical activities
Determining Continuity
Requirements
Risk assessment
Determining choices
BCM Decision Making
Level of risk should be understood specifically
Choosing risk assessment approachElements that risk assessment process
includeDetermination of criteria for risk acceptanceIdentification of acceptable levels of riskAnalysis of the risks
Business Impact Analysis
Identification of critical activities
Determining Continuity
Requirements
Risk assessment
Determining choices
BCM Decision Making
Do nothingManual Work-aroundsReciprocal arrangementsGradual Recovery (cold stand by)Intermediate Recovery (warm stand by)Immediate Recovery (hot stand by)
Business Impact Analysis
Identification of critical activities
Determining Continuity
Requirements
Risk assessment
Determining choices
Business Impact Analysis Process
Set up an impact analysis project
Identify a project coordinator to carry out the business impact analysis.
Define the objectives and scope of the business impact analysis project.
Choose an appropriate methodology or tool for carrying out BIA. Create a work schedule and project plan. Launch the business impact analysis project.
Evaluate the effects of disruption and the impacts on operations
Effects of disruption Loss of assets
Key personnel Physical assets Information assets Market share
Disruption to the continuity of services and operations Violation of a law or regulation Negative public perception
Effects of disruption on the company’s operations Financial Clients and suppliers Public relations Legal Regulatory considerations and requirements Environmental Operational Delays Credibility Other resources
Evaluate the effects of disruption and the impacts on operations
Determine loss exposure
QuantitativeRevenue lossFinancial penaltiesGross cash flow Accounts payableLegal liabilitiesHuman resourcesAdditional expensesHigher cost of work
QualitativeHuman resourcesMoraleConfidenceLegalSocial and corporate imageFinancial credibility
Evaluate the effects of disruption and the impacts on operations
Business impact analysis - data collection
Gathering data using a questionnaire
Understand the importance of the questionnaire’s conception and distribution.
Clearly explain the rationale for the questionnaire. Offer support to personnel while they complete the
questionnaire. Review completed questionnaires. Conduct follow-up discussions to obtain clarifications
Business impact analysis - data collection
Gathering data through interviews
Explain the purpose of the interview. Clearly establish the type of information that is being looked for. Compile a list of elements to cover during the interview Consult the list throughout the meeting to ensure none are omitted. Plan follow-up interviews
Gathering data through workshops
Set up a workshop schedule Compile a list of objectives to be met. Identify the appropriate level of participation from managers Identify an appropriate evaluation area, Identify the equipment needed and personnel availability. Interact with personnel during the workshops and discussions. Ensure that workshop objectives are met. Ensure that all possible impacts raised during workshops are written
down.
Business impact analysis - data collection
Decide upon data analysis methods (manually or using a computer). Assess the potential financial and non-financial impacts of the risks
compiled. Prepare business impact analysis report
Prepare drafts of the business impact analysis report, including the list of impacts.
Provide participating managers with a draft report and ask for their comments. Review the managers’ feedback Plan a meeting with participating managers to discuss the initial findings. Prepare and make formal presentations to colleagues and executives regarding
the findings
Business impact analysis - data collection
Define business functions and critical data
Establish a definition of what is “critical” for the organization With management, identify one or more critical levels.
financial (loss of revenue, cost of recovery) recovery time. With these two criteria, it is possible to classify
impacts as: critical & major & minor.
Identify vital data for ensuring BC and the recovery of the organization’s operations. Identify support teams. Identify interdependencies
Prioritize critical elements for the organization in the impact mitigation process.
Determine the time and resources necessary for recovery
Define recovery processes for critical business functions based on criticality criteria Determine the order of recovery for critical business functions Determine the minimum resource requirements for recovery
Internal and external resources. Resources owned or not Existing and accessible resources.
Evaluate the maximum period of time Evaluate the maximum period of time during which information can remain
unavailable. Evaluate how long information can be allowed to “age” without being updated. Evaluate the amount of information that can be lost without causing major
prejudice to the organization. Evaluate the limit beyond which the company’s operations will sustain major
prejudice due to the disruption.
Identify business processes
Interrelation between business processes Processes dependencies
InternalExternal
In terms of technology
Determine replacement times
EquipmentSostwaresDataKey personnelRaw material
Determining BC StrategyPeopleLocationsTechnologyInformationSuppliesStakeholdersCivil emergencies
BCM Implementation Methodology
BCM implementation documentation
www.ermantaskin.com/bcm